SME, Inc.

November 16, 2020 By SME, Inc.

New CMMC Interim Rule

It should come as no surprise that things have changed again. Many of you have already heard about the rollout of the Cybersecurity Maturity Model Certification (CMMC) over the next five years and have hopefully started working toward the level of certification your organization requires. But have you heard about the CMMC Interim Rule?

The CMMC Interim Rule brings in a new DoD Assessment Methodology for NIST SP 800-171, effective November 30, 2020. The Interim Rule adds DFARS 252.204-7019 and 252.204-7020 and defines three assessment levels (Basic, Medium, High). Under it, DoD contractors and subcontractors that must comply with NIST SP 800-171 have to complete a self-assessment and post the resulting score in the Supplier Performance Risk System (SPRS). The score itself is numeric: a fully compliant contractor scores 110, and each control that is not implemented subtracts 5, 3, or 1 points depending on its weight, so a score can go negative.

A Basic Assessment is a self-assessment completed by the contractor, while Medium and High Assessments are conducted by the Government. The Government selects contractors for Medium or High review based on the nature of the program.

Please note that every self-assessment a contractor submits is a Basic assessment; a Medium or High assessment, which carries a higher level of confidence, requires review by the Government.

Contracting Officers are required to verify that the offeror has a current NIST SP 800-171 DoD Assessment on record before contract award or the exercise of an option.

Certain aspects of the interim rule may change with the issuance of a final rule and additional guidance. Until then, DoD contractors should make plans to implement the new Assessment requirement quickly, and should carefully review all DoD solicitations and contract modifications to understand whether or not the new rule impacts them.

What does this mean for you? It is time to dust off your POA&M (Plan of Action and Milestones) and SSP (System Security Plan), create an account in SPRS, and work through the self-assessment process.

To find out more about our CMMC auditing services, or any other IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.


November 4, 2020 By SME, Inc.

Vulnerability Assessment

What is a Vulnerability Assessment?

A vulnerability assessment is a systematic process for identifying, classifying, and prioritizing the vulnerabilities, potential threats, and resulting risks in computer systems, networks, hardware, applications, and the other parts of your IT infrastructure. It locates the systems that are susceptible to known vulnerabilities, assigns a severity level to each finding, and recommends remediation or mitigation techniques.

Types of Vulnerability Assessments

There are several different types of vulnerability assessments that can be performed in order to strengthen your IT systems and infrastructure:

  • Host-based Assessment – identifies vulnerabilities in servers, workstations and other networked hosts. Because it runs on or authenticates to the host, this type of scan offers greater visibility into the configuration settings and patch history of the scanned systems.
  • Network and Wireless Assessment – evaluates the policies and practices that prevent unauthorized access to private or public networks and to networked resources.
  • Database Assessment – database and big data systems are evaluated for weak points and misconfigurations, insecure development or test environments are identified, and sensitive data is classified across the organization's IT systems so it can be protected from attack.
  • Application Assessment – identifies security vulnerabilities and misconfigurations in software, including web application front ends and their source code.

Weaknesses a vulnerability assessment can surface

Some examples of the types of weaknesses a vulnerability assessment can find before an attacker does:

  • Code injection flaws (SQL injection, cross-site scripting)
  • Insecure or faulty authentication mechanisms
  • Paths to privilege escalation
  • Factory defaults: most software and hardware ships with insecure default settings, such as administrator passwords that are easily found online

2019 saw the highest number of ransomware attacks ever, according to the Emsisoft report. Ransomware hit at least 966 government agencies, educational establishments and healthcare providers. To be more specific:
– 113 state and municipal governments and agencies
– 764 healthcare providers
– 89 universities, colleges and school districts.
This means that up to 1,233 individual schools were affected.

Source: https://www.cpomagazine.com/cyber-security/ransomware-costs-in-2019/

Do I need a vulnerability assessment?

Ransomware, data breaches, phishing, COVID-19 scams: as technology changes, so do the tactics, techniques, and procedures of the attackers. The threat landscape changes as fast as the technology itself, and the threats and risks of 2019 are not necessarily the ones we have seen so far in 2020, or the ones we will see in the coming year.

With more than 5 billion records compromised in 2019, breaches cost US organizations more than $1.2 trillion

Source: https://www.techrepublic.com/article/data-breaches-cost-us-companies-more-than-1-2-trillion-lastyear/
  • The average ransom paid in 2019 was $111,605, and 205,280 organizations were hit by ransomware that year.
  • New risks, threats, vulnerabilities, and exploits are being discovered and targeted by attackers every day.
  • Without an assessment, IT management and stakeholders are left guessing how best to spend budgeted resources. IT budgets are limited; knowing which assets are exposed lets you focus on protecting the most business-critical systems.
  • Many government contractors are required to have a vulnerability assessment performed in order to stay compliant with government regulations.

How often do I need a vulnerability assessment?

Many are under the impression that a vulnerability assessment should be done annually. A vulnerability assessment, however, is only a snapshot of that moment in time; it leaves the next 365 days, until the following assessment, without any knowledge of new vulnerabilities that may have appeared internally or externally.

The threat landscape is continuously changing, with new threats appearing almost daily. Continuous vulnerability assessment is crucial to keeping systems as secure as possible.
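A concrete way to see what the snapshot gap costs, and how findings get prioritized once you have them, is to diff two scans. The script below is an added example and not SME's assessment tooling: the hosts, check names, CVSS scores, asset weights and the 1.5x bonus for a public exploit are all constructed assumptions, and the two snapshots are hand-written rather than real scanner output.

```python
"""Rank findings from a vulnerability scan and diff two scan snapshots.

Added example, not SME's tooling. All hosts, check names, scores and the asset
weights below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str          # scanner check name (constructed, not a real plugin id)
    cvss: float         # CVSS base score, 0.0 to 10.0
    exploit_public: bool


# Assumed business criticality per host; anything not listed counts as 1.0.
ASSET_WEIGHT = {
    "dc01.corp.example": 3.0,    # domain controller
    "web01.dmz.example": 2.0,    # internet-facing web server
    "ws-042.corp.example": 1.0,  # ordinary workstation
}


def priority(f: Finding) -> float:
    """CVSS weighted by asset criticality; the 1.5x bonus for a known public
    exploit is an assumption of this example, not part of any standard."""
    score = f.cvss * ASSET_WEIGHT.get(f.host, 1.0)
    if f.exploit_public:
        score *= 1.5
    return round(score, 1)


def ranked(findings):
    """Highest priority first, so remediation budget goes to the top rows."""
    return sorted(findings, key=priority, reverse=True)


def diff_snapshots(previous, current):
    """Split the current scan into new, still-open and fixed findings, keyed on
    (host, check). Anything in 'new' is what an annual-only cadence would miss
    until the next scan."""
    prev = {(f.host, f.check): f for f in previous}
    curr = {(f.host, f.check): f for f in current}
    new = [curr[k] for k in curr.keys() - prev.keys()]
    still_open = [curr[k] for k in curr.keys() & prev.keys()]
    fixed = [prev[k] for k in prev.keys() - curr.keys()]
    return ranked(new), ranked(still_open), ranked(fixed)


# Constructed snapshots: a January scan and a follow-up scan in March.
JANUARY = [
    Finding("ws-042.corp.example", "smb-v1-enabled", 9.8, True),
    Finding("web01.dmz.example", "openssl-outdated", 7.5, False),
    Finding("dc01.corp.example", "weak-ssh-ciphers", 5.3, False),
]
MARCH = [
    Finding("web01.dmz.example", "openssl-outdated", 7.5, False),    # still open
    Finding("dc01.corp.example", "weak-ssh-ciphers", 5.3, False),    # still open
    Finding("dc01.corp.example", "default-admin-creds", 8.8, True),  # new since January
]

if __name__ == "__main__":
    new, still_open, fixed = diff_snapshots(JANUARY, MARCH)
    for label, rows in (("NEW", new), ("STILL OPEN", still_open), ("FIXED", fixed)):
        for f in rows:
            print(f"{label:10} {priority(f):5}  {f.host:22} {f.check}")
```

Two things the output shows that the raw CVSS list does not: the domain controller's medium-severity SSH finding outranks the web server's high-severity OpenSSL finding once asset weight is applied, and the default-credential finding that appeared between scans would sit unnoticed for the rest of the year on an annual cadence.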

Here at SME, we provide all types of comprehensive vulnerability assessments and vulnerability management, depending on your needs. Cadences range from annual to quarterly, monthly, or continuous vulnerability management, and our services can be tailored to your needs and budget.

To find out more about our vulnerability assessment and vulnerability management services, or any other IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.


October 28, 2020 By SME, Inc.

Working Securely from Home

As we have all faced challenges during the COVID-19 pandemic, the way we do business has changed dramatically, with many of us working from home. This has given attackers new tactics and opportunities to cast a wider net. IT security has always been important, and in these times it matters even more.

In an ideal world, most companies would have some form of plan or policy for securely moving employees from working on-site to working from home. Unfortunately, many of us made the transition with little or no time to plan. Now that the dust has settled a bit, and although it is still uncertain when, or whether, we will go back to doing business the way we used to, it is a good time to confirm that employees working remotely are doing so as securely as possible.

Tips on working securely from home


Acceptable Use

Employees should follow the same policies and procedures as if they were working in the office.

Only use company-provided email, messaging, storage, and so on when doing work for the company.

Home Office

If possible, have a private area set up to work. This space should send a clear signal to you that it’s time to focus. To avoid burnout, try to stay away from your workspace when you’re not working, unless absolutely necessary.

Secure Remote Connection

Connect to the office only over a secure VPN (Virtual Private Network).

Password Security

Passwords should be unique to each account and device and no less than 12 characters long; the longer the better.

End-Point Protection and Patching

Employees using a personal computer or laptop should make sure that up-to-date anti-virus software is installed and that the operating system and third-party software are kept current, with updates and patches downloaded and installed on a regular basis.

Wi-Fi Security

If using a wireless connection, make sure the connection is encrypted and the wireless password is strong.

Confirm that the administrator login and password for the router (usually supplied by the ISP, your Internet Service Provider) have been changed. Most home routers still use the default login and password, which is not only weak but also published across the Internet and easily searchable.

User Awareness

Lock your computer/laptop screen when you walk away or are finished working.

Stay vigilant when it comes to phishing emails. Phishing emails are up 667%, and according to Google 81 million phishing emails containing malware are being sent each day. Verify, verify, verify before providing personal information or carrying out a financial transaction.

Notify your IT company IMMEDIATELY if you think you clicked on or downloaded something suspicious. The sooner they can start mitigation, the better.

As many of you are aware, hacking is big business, and it costs businesses a great deal of money.

Many hackers are employed just like we are. They are given quotas to meet, deadlines, and are expected to perform in order to keep their job.

Let’s make it hard for them to stay employed! 

SME is here to assist in any way that we can.  If you have any questions about working securely from home or any other IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.

Stay Safe, Healthy, and Sane!


October 21, 2020 By SME, Inc.

Simple Steps to Securing Yourself Online

Use a Security Application

This can be an antivirus, anti-malware, or firewall application, and all of them come in both free and paid versions. Choosing one can be confusing, but reading reviews and comparing the tools will help you find the right one for your specific needs. Some companies bundle all of these tools into a single application.

Don’t Click on Just Anything

Be cognizant of what it is that you are trying to access online. Many of the attacks we see and hear about in the news started with someone clicking on a link they thought was legitimate but that was in reality a malicious link or email attachment, which silently installed software.

Learning the tell-tale signs of phishing sites and malicious URLs is a valuable skill for every online user. Instead of immediately clicking a link, ask yourself, "Am I expecting this email from so-and-so? Did I sign up for this?" Another trick we can all use is to hover over the link (without clicking it) and check whether the URL leads to a legitimate website, or whether it is a confusingly long, obfuscated, seemingly random string of characters; if so, you can safely assume it is not something you want to click on.

Also, to return to our earlier point about security applications, some anti-malware products offer real-time scanning and browser protection that warn you when the link or website you are about to visit may contain malicious content. These tools add a further layer that can stop ransomware, adware, or trojan horses from reaching your device.
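The hover check described above can be automated for an HTML message. The script below is an added example, not SME's or any vendor's product; the e-mail body is constructed, the hosts are reserved .example names and a TEST-NET address, and the 24-character threshold for a "random-looking" token is an assumption. It flags the same things a careful reader would: visible text that names one site while the href goes to another (including the fake-subdomain trick, yourbank.example.attacker.example), a raw IP address as the host, a punycode (xn--) hostname, a username placed before the host (bank.example@evil.example), and long random tokens in the path or query.

```python
"""Inspect the links in an HTML e-mail the way a careful user hovers over them.

Added example, not a product of SME. The e-mail body is constructed; the hosts
use reserved .example names and a TEST-NET address, none of them real sites.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; '' if it has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


LOOKS_LIKE_DOMAIN = re.compile(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}")
RANDOM_TOKEN = re.compile(r"[A-Za-z0-9]{24,}")   # length threshold is an assumption


def red_flags(href: str, text: str) -> list:
    """Return the reasons a link deserves suspicion; an empty list means none found."""
    flags = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = (parsed.hostname or "").lower()

    # The visible text names one site but the href goes to another, or to a
    # look-alike such as www.yourbank.example.attacker.example.
    if LOOKS_LIKE_DOMAIN.search(text):
        shown = host_of(text.split()[0])
        if shown and shown != host and not host.endswith("." + shown):
            flags.append("text-target-mismatch")
    if is_ip(host):
        flags.append("ip-address-host")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode-host")
    if parsed.username:                          # http://bank.example@evil.example/
        flags.append("credentials-before-host")
    if RANDOM_TOKEN.search(parsed.path + "?" + parsed.query):
        flags.append("long-random-token")
    return flags


def analyze(html: str):
    """(href, visible text, flags) for each link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, red_flags(href, text)) for href, text in collector.links]


# Constructed phishing-style message; not a real e-mail.
SAMPLE_EMAIL = """
<p>Your account has been suspended.
<a href="http://198.51.100.7/login">Click here</a> to restore access.</p>
<p>Or sign in at
<a href="https://www.yourbank.example.login-verify.attacker.example/s/9fH2kLm0QpZx7Vb3NrT8wYcU4eS1d">https://www.yourbank.example/login</a></p>
<p>See our <a href="https://www.yourbank.example/privacy">privacy policy</a>.</p>
"""

if __name__ == "__main__":
    for href, text, flags in analyze(SAMPLE_EMAIL):
        print(f"{'SUSPICIOUS' if flags else 'ok':10} {text!r:40} -> {href}")
        for flag in flags:
            print(f"{'':10}   {flag}")
```

Note that the mismatch test is deliberately one-directional: a link whose text reads yourbank.example and whose href is login.yourbank.example is accepted, while yourbank.example.attacker.example is not, because the real registrable domain is the right-hand end of the hostname.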

The Password is Strong with This One

123456, password, iloveyou

Recognize any of those? If so, they may well be among your passwords, and if they are, you may want to check whether you've been pwned (haveibeenpwned.com). Not all hackers are like the ones in the movies; they don't all wear black hoodies, slam back energy drinks, or listen to techno while they take down the Gibson. But all of them LOVE easy-to-guess passwords. One of the most common entry points for a cyber-attack is a weak password on an online account.

Here is a short list of the 30 most commonly used passwords of 2020

Using one decently strong password for every account is a dangerous game to play with your online security; using one weak password for all your accounts, you may as well leave the door wide open. The point? Use strong passwords! Strong passwords can be hard to remember, sure, but smart people have already thought of this and offer solutions. Password managers like LastPass and Bitwarden both offer free and premium plans that not only generate extremely strong passwords but store them for you as well; better yet, their browser plugins fill these passwords into your online accounts so you don't have to copy and paste them yourself. Another, easier-to-remember option is to use passphrases instead of passwords. Stringing several words together into a phrase gives you length and variation, so you can still remember multiple passwords easily while getting strong ones that protect your accounts.
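To put the password advice from this post, and the 12-character rule from the Working Securely from Home post above, into practice, the script below is an added example (not SME's code, nor the password managers' own) that generates a passphrase with a cryptographically secure random source and checks a password for breach exposure using the k-anonymity scheme of the Have I Been Pwned Pwned Passwords API: only the first five hex characters of the password's SHA-1 are sent (GET https://api.pwnedpasswords.com/range/{prefix}), and the client searches the returned list of 35-character suffixes locally, so the password itself never leaves the machine. The word list and the range reply below are constructed so the script runs offline; the breach counts in the reply are made up.

```python
"""Generate a passphrase and check a password against a breached-password
list without sending the password anywhere.

Added example, not SME's code. The breach check follows the k-anonymity
scheme of Have I Been Pwned's Pwned Passwords API: only the first five hex
characters of the SHA-1 would go to /range/{prefix}; the client then looks
for the remaining 35 characters in the reply. The word list and the range
reply here are constructed, and no network call is made.
"""
import hashlib
import secrets

# Constructed word list. A real generator uses a list of several thousand
# words (for example the EFF long list, 7776 words) so that four words give
# roughly 51 bits of entropy; this short list is only for illustration.
WORDS = [
    "amber", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder",
]

MIN_LENGTH = 12   # the policy from the posts above


def passphrase(n_words: int = 4, sep: str = "-") -> str:
    """Random words joined by a separator; secrets.choice is CSPRNG-backed."""
    return sep.join(secrets.choice(WORDS) for _ in range(n_words))


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) must return the text of the /range/{prefix} reply,
    one 'SUFFIX:COUNT' line per hash. Returns how many times the password has
    been seen in breaches, or 0 if its suffix is absent from the range."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def problems(password: str, fetch_range) -> list:
    """Policy check: minimum length plus breach exposure."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        issues.append(f"seen {seen} times in breaches")
    return issues


# Constructed stand-in for the API. The first suffix really is SHA-1("password")
# minus its prefix 5BAA6; the counts and the second suffix are made up, and a
# real reply contains several hundred lines.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\n",
}


def offline_fetch(prefix: str) -> str:
    """Offline replacement for an HTTPS GET of /range/{prefix}."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", passphrase()):
        print(f"{pw!r}: {problems(pw, offline_fetch) or 'no problems found'}")
```

To use it against the live service, replace offline_fetch with a function that performs the HTTPS GET for the prefix and returns the response body; the prefix reveals nothing useful about the password because it matches hundreds of unrelated hashes.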


October 15, 2020 By SME, Inc.

Happy Cybersecurity Awareness Month! … So what is it?

History

Since its inception in 2004, Cybersecurity Awareness Month has had one main goal: making Americans safer and more secure online. Launched as a collaborative effort by the Department of Homeland Security (DHS) and the National Cyber Security Alliance (NCSA), CAM strives to raise awareness of the importance of cybersecurity across our nation and to ensure that as many Americans as possible have the resources they need to practice good cyber hygiene at home or in a corporate environment.

Now, 16 years later, Cybersecurity Awareness Month has grown into something of a grassroots campaign, with major efforts led by many large companies in the industry as well as government agencies, all aiming to engage their customers, employees, college campuses, and the general public with the idea that every digital user should know how to be safe and secure while using the Internet.

169 million personal records from financial, business, education, healthcare, and public sectors were exposed in 2015

If You Connect It, Protect It

To keep yourself safe online, any device you use to access content on the Internet needs to be protected. This can be as simple as keeping the device up to date with the current software updates, knowing exactly what it is that you are trying to access online, and using a strong, unique password for every online account.

To understand how important cybersecurity awareness is, you must first understand that you are a target: you have something online criminals want, whether it is personal information such as your date of birth or your mother's maiden name, your healthcare records, or your credit and debit card numbers. Threat actors will use this data to steal from you or to break into your accounts.


June 22, 2017 By SME, Inc.

Phishing

Phishing scams continue to plague businesses. We receive many calls and emails from customers who keep receiving these malicious emails.

Attackers are targeting employees and getting more sophisticated in their tactics. They are counting on businesses not having layers of security in place; on businesses not having policies and procedures, or on employees not following the ones that exist; and on employees not being trained to spot a phishing email. Your best line of defense is to have layers of security in place, implement specific policies and procedures, train your employees, run an ongoing security awareness training program, and communicate your expectations. Educate and empower your employees: everyone is part of the security team.

SME is here!  We can assist you with implementing layers of security, writing your policies and procedures, training your employees, and building an ongoing security awareness training program combined with phishing simulations that assists in driving behavior change to further protect your business.

SME has multiple solutions that can increase the security posture of your business.  If you have any questions or for more information give us a call for a free consultation.


May 15, 2017 By Webmaster

WannaCry

A crushing strain of ransomware, WannaCry, has been unleashed on the world, with reports of over 150 countries impacted in a very short time.
SME's fully managed security solutions will help protect you from these types of attacks. SME has been researching this threat and testing systems. If SME is already providing fully managed security solutions for your business, you may already have multiple controls in place that prevent this type of attack. Please give us a call if you have any questions or are concerned about your security posture.


August 15, 2016 By SME, Inc.

Defcon 24

Defcon 24 was amazing once again this year.  SME shared and gained knowledge with the global infosec community.  We are even more prepared to help defend your business.

One of the most amazing things we witnessed was the DARPA Cyber Grand Challenge, no telling what the future holds.

Check it Out!

https://www.cybergrandchallenge.com/


July 29, 2016 By SME, Inc.

SME helps meet your compliance needs with Amazon Web Services

AWS is the first cloud service provider to successfully complete the assessment against the newly released PCI Data Security Standard (PCI DSS) version 3.2, 18 months in advance of the mandatory February 1, 2018, deadline.

http://blogs.aws.amazon.com/security/post/Tx20SIO4LU1XDFA/AWS-Becomes-First-Cloud-Service-Provider-to-Adopt-New-PCI-DSS-3-2


Copyright © 2023 · Systems Management Enterprises, Inc.